
re: how broken are antivirus products?

From: H C <keydet89(at)yahoo.com>
Date: Mon Nov 18 2002 - 15:13:18 EST


Jose,

Good to hear you're writing a book...I'm looking forward to it.

Here are some thoughts that may or may not be useful for your book, but may be extremely useful for discussion...

In ad hoc, undocumented testing (you know me and you've read my stuff, so you know that I tend to the more academic side when it comes to testing), a couple of the more popular A/V software packages picked up the viruses in question. I have access to Norton2000 at work, so I play around with it mostly.

I've taught my Win2K live forensics course at several locations, with many different set-ups and platform combinations. In every case so far, regardless of the A/V software in use, the lab that uses netcat as a trojan has installed w/o a hitch...none of the A/V software has picked it up.

NTFS alternate data streams still aren't checked by many A/V packages. I've specifically tested Norton, and have received anecdotal data from others claiming that malware that is normally detected has been hidden in ADSs and gone undetected.

About a year ago, I did some work for a client that involved writing a trojan that launched IE (in invisible mode if necessary) to perform its network communications. I have some proof-of-concept Perl code, and the guys from SensePost have done a more formal and thorough job of development. However, something that they didn't go over was a more specific implementation. For instance, the initial stub code could get on the system through any number of means. Being "new", it wouldn't necessarily be detected. From there, it could download (via IE) any manner of code. For example, it could simply determine if there were any A/V products on-board, and disable them. Then, it could copy malware from the 'Net, and segment it as it came in, stuffing the various segments into Registry keys and/or ADSs. Then at some point in the future, it could reassemble and execute that code.

Just something to think about. I've written a couple of articles on detecting trojans and malware on Win2K systems, and I include this information in my course. If you want to chat about the Windows side of things, let me know.


Carv
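The message above notes that many A/V packages of the day did not inspect NTFS alternate data streams, so content hidden in an ADS could sit unscanned. The following is an added example from the editor, not code from the original message or from its author: a PowerShell script that walks a directory tree, lists every non-default stream on every file, hashes the stream contents so they can be checked against known-bad lists or submitted to a scanner, and writes a CSV report. It assumes Windows PowerShell 3.0 or later (for `Get-Item -Stream`) on an NTFS volume; the starting directory and report path are assumptions chosen for illustration.

```powershell
# Added example (not from the original message): enumerate NTFS alternate data
# streams so that hidden content can be reviewed and scanned by a defender.
# Assumptions: Windows PowerShell 3.0+ or PowerShell 7 on Windows, NTFS volume.
# $Root and $Report are assumed values for illustration.
param(
    [string]$Root   = 'C:\Users\Public',            # assumed starting directory
    [string]$Report = "$env:TEMP\ads-report.csv"    # assumed report location
)

# Hash the bytes of one stream. .NET FileStream accepts the "path:stream"
# syntax on Windows, so the ADS is read directly without copying it out.
function Get-StreamSha256 {
    param([string]$StreamPath)
    $fs = [System.IO.File]::OpenRead($StreamPath)
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $bytes = $sha.ComputeHash($fs)
    } finally {
        $fs.Dispose()
    }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Walk the tree and emit one record per non-default stream.
# ':$DATA' is the ordinary file content, so it is filtered out; every other
# stream name is an alternate data stream worth looking at.
function Get-AlternateDataStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $streamPath = "$($file.FullName):$($_.Stream)"
                    # Zone.Identifier is the mark-of-the-web stream that browsers
                    # and mail clients write on downloads; it is expected and
                    # usually benign, so it is labelled rather than hidden.
                    $expected = ($_.Stream -eq 'Zone.Identifier')
                    [PSCustomObject]@{
                        File     = $file.FullName
                        Stream   = $_.Stream
                        Length   = $_.Length
                        Expected = $expected
                        SHA256   = (Get-StreamSha256 -StreamPath $streamPath)
                    }
                }
        }
}

$streams = @(Get-AlternateDataStreams -Path $Root)
$streams | Export-Csv -LiteralPath $Report -NoTypeInformation

# Summarise: unexpected streams (anything other than Zone.Identifier) are the
# ones to hand to a scanner or examine by hand, e.g. with
#   Get-Content -LiteralPath 'C:\path\file.txt' -Stream 'name'
$unexpected = @($streams | Where-Object { -not $_.Expected })
Write-Host ("Scanned {0}: {1} alternate stream(s) found, {2} unexpected. Report: {3}" -f `
    $Root, $streams.Count, $unexpected.Count, $Report)
$unexpected | Format-Table File, Stream, Length, SHA256 -AutoSize
```

Run it from an elevated prompt if the tree contains files other users own; `-Force` makes `Get-ChildItem` include hidden and system files, which is where a stream would most likely be parked. Empty streams and streams on directories (which `-File` skips) can be added to the walk if the inventory needs to be exhaustive.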



Received on Mon Nov 18 21:15:00 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

